I wanted the MDS switches to finally be added to TACACS so that the backup scripts can run with the TACACS login they have for the standard routers/switches. Here’s the code used (note that the fallback to local auth is also enabled if tacacs is unavailable):
tacacs+ enable tacacs+ distribute tacacs-server key whatevs-key tacacs-server host 10.222.222.222 tacacs+ commit aaa group server tacacs+ tacacs-group1 server 10.222.222.222 aaa authentication login default group tacacs-group1 local aaa accounting default group tacacs-group1 local
On Cisco ACS 5.x you need to add an option to the shell profile you use for TACACS. In my case I just added the attribute to the standard profile which gives ‘level 15’ privilege to passed authentications for other IOS devices.
Probably easier to show you in an image (below), but for MDS switches to work with ACS 5.x you need to add :
attribute -> shell:roles requirement-> Optional value -> network-admin